{
  "Event": {
    "analysis": "1",
    "date": "2024-04-12",
    "extends_uuid": "",
    "info": "[Threat Intel] Unpacking the Blackjack Group's Fuxnet Malware",
    "protected": false,
    "publish_timestamp": "1772407393",
    "published": true,
    "threat_level_id": "2",
    "timestamp": "1772407390",
    "uuid": "6bb1ef75-ec72-477d-871f-859ccc32eade",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:threat-actor=\"BlackJack\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:target-information=\"Russia\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:sector=\"Water\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#120044",
        "local": false,
        "name": "rectifyq:sub-category=\"intrusion-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#190061",
        "local": false,
        "name": "rectifyq:topic=\"ics-ot\"",
        "relationship_type": ""
      },
      {
        "colour": "#1c006d",
        "local": false,
        "name": "rectifyq:topic=\"geopolitical\"",
        "relationship_type": ""
      },
      {
        "colour": "#d92121",
        "local": false,
        "name": "rectifyq:target=\"targeted\"",
        "relationship_type": ""
      },
      {
        "colour": "#31373d",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"not-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#f6810a",
        "local": false,
        "name": "ICS-capable",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:producer=\"Dragos\"",
        "relationship_type": ""
      },
      {
        "colour": "#f1dfed",
        "local": false,
        "name": "rectifyq:TA-category=\"Hacktivist\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:sector=\"Industrial\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772351879",
        "to_ids": false,
        "type": "link",
        "uuid": "709a2925-a1f1-40c9-b636-73d7576b5f41",
        "value": "https://claroty.com/team82/research/unpacking-the-blackjack-groups-fuxnet-malware",
        "Tag": [
          {
            "colour": "#6b003a",
            "local": true,
            "name": "workflow:todo=\"create-missing-misp-galaxy-cluster\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772359824",
        "to_ids": false,
        "type": "link",
        "uuid": "b4ba8261-47f6-436c-a87c-9b916efed279",
        "value": "http://web.archive.org/web/20240417171016/https://ruexfil.com/mos/"
      },
      {
        "category": "Other",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772359846",
        "to_ids": false,
        "type": "text",
        "uuid": "ff666ca5-9d62-4306-8167-0f82a8e5c680",
        "value": "Russia's Industrial Sensor and Monitoring Infrastructure has been disabled: moscollector.ru\r\nHacked data is available at https://ruexfil.com/mos\r\n\r\nIt includes Russia's Network Operation Center (NOC) to monitor and control Gas, Water, Firealarm\r\nand many others, including a vast network of remote sensors and IoT controllers. A total of 87,000\r\nsensors have been disabled.\r\n\r\nMilestones:\r\n- Initial access June 2023.\r\n- Access to 112 Emergency Service. \r\n- 87,000 sensors and controls have been disabled (including Airports, subways, gas-pipelines, ...).\r\n- Fuxnet (stuxnet on steroids) was deployed earlier to slowly and physically destroy sensory equipment\r\n  (by NAND/SSD exhaustion and introducing bad CRC into the firmware). (YouTube Video 1, YouTube Video 2).\r\n- Fuxnet has now started to flood the RS485/MBus and is sending 'random' commands to 87,000 embedded\r\n  control and sensory systems (carefully excluding hospitals, airports, ...and other civilian targets).\r\n- All servers have been deleted. All routers have been reset to factory reset. Most workstations (including\r\n  the admins workstations) have been deleted.\r\n- Access to the office building has been disabled (all key-cards have been invalidated).\r\n- Moscollector has recently been certified by the FSB for being 'secure & trusted' (picture included)\r\n- Defaced the webpage (https://web.archive.org/web/20240409020908/https://moscollector.ru/)\r\n\r\nThe media pack, screenshots and videos are available here: https://ruexfil.com/mos/takedown (.onion)\r\n\r\nIt contains:\r\n- GPS coordinates of all 87,000 sensors\r\n- Database of their internal and secure Messaging Platform (Dialog; used by Moscollector employees).\r\n- Screenshots of the Network Operation Centre\r\n- Screenshots of servers, routers, databases, ...\r\n- Screenshots of maps, blueprints of buildings, ... etc etc\r\n- Screenshots accessing their domain registrar\r\n- Screenshots of FuxNet source code and mode of operation\r\n- Video of FuxNet deploying and disabling the sensors\r\n- Selected dumps of their firewall and router configs.\r\n\r\n\r\nThe Op was conducted by BlackJack.\r\n\r\n--- After takedown report, 9th of April 19:58 UTC\r\n- About 1,700 sensor routers were destroyed. The central command-dispatcher and DataBase has been destroyed.\r\n  => All 87,000 sensors are offline\r\n- Key-cards to enter the office and server rooms have been invalidated\r\n- All databases have been wiped.\r\n- All mail has been wiped.\r\n- A total of 30TB of data has been wiped. Including the backup drives.\r\n- Zabbix and other internal staging and monitoring servers have been wiped.\r\n- All admin workstations and most user workstations have been wiped.\r\n- Exhausted the corporate credit card.\r\n- Took control of their domain \"moscollector.ru\".\r\n  => Our server stats: WEB Traffic, Email Traffic\r\n- Took down their Firewall and disabled their Internet.\r\n- Webpage has been defaced: https://web.archive.org/web/20240409020908/https://moscollector.ru/\r\n- Took over their Facebook: Blackjack Was Here, Slava Ukraini\r\n- Disabled 566 of their SIM cards / phones.\r\n- Data published at https://ruexfil.com/mos/takedown.\r\n--- Addendum, 15th of April 13:47 UTC\r\n- The fine people at Team82 wrote a report on FuxNet\r\n- Updated https://ruexfil.com/mos/takedown/post-hack-update with all 2,659 IPs of the sensor-gateways\r\n  that were attacked. The list comes from bash_history, smvu and smvu2 databases found\r\n  on various hosts of the target.\r\n- About 1,700 of the sensor-gateways were reachable and successfully attacked.\r\n- Uploaded some more screenshots about the multi-arch FuxNet binary and the Meter-Bus fuzzer/flooder.\r\n- We disabled smsd and all other means to reboot the sensor-gateways. Thus the sensor-gateways\r\n  will keep flooding the Meter-Bus until somebody physically turns off the gateways.\r\n- The most under-reported dataset are the GPS coordinates of all sensors.\r\n  It shows sensors with GPS coordinates in and around the Kremlin and sensors in other cities (not just Moscow)."
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772360085",
        "to_ids": false,
        "type": "link",
        "uuid": "5f926961-0e64-4a60-961d-e213c1da2622",
        "value": "https://sansorg.egnyte.com/dl/uo9jc2aIri"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772360108",
        "to_ids": false,
        "type": "link",
        "uuid": "c43490d2-be70-495e-9e02-4dcf78999624",
        "value": "https://www.youtube.com/watch?v=TeIiQx8jgXQ"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772360108",
        "to_ids": false,
        "type": "link",
        "uuid": "d7b2071b-7d27-4e31-8b7b-95018a97cdc6",
        "value": "https://www.youtube.com/watch?v=CE6lMslmLLo"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772360144",
        "to_ids": false,
        "type": "link",
        "uuid": "ab2cd361-59b1-4473-9b1d-b9e35f0adbbb",
        "value": "https://hub.dragos.com/hubfs/Reports/Dragos_SB_Intel_Fuxnet_ICSMalware.pdf?hsLang=en"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772363788",
        "to_ids": false,
        "type": "link",
        "uuid": "19c1f357-eec5-4a50-aa34-944ffd927ae5",
        "value": "https://www.incibe.es/en/incibe-cert/blog/fuxnet-malware-paralyzed-ics-systems"
      }
    ]
  }
}